1Gbps     Network Monitored
15+       Custom Suricata Rules
JA3/JA3S  TLS Fingerprinting
Zeek+ES   Analysis Stack

Problem

Host-based monitoring through Wazuh provided excellent endpoint visibility but missed network-layer threats: lateral movement over network protocols, DNS-based C2, and C2 hidden inside encrypted traffic. We needed network visibility to complement the endpoint SIEM.

Architecture

Network (SPAN Port from Core Switch)
    |
    v
Security Onion 2.4 (Standalone Deployment)
    |-- Suricata 6.x (IDS: signature detection)
    |-- Zeek 6.x (Protocol analysis + logging)
    |-- Strelka (File extraction + analysis)
    |-- Elastic Stack (Storage + visualization)
    |-- SOC Analyst Interface (Kibana)

Custom Suricata Rules

# Detect a Cobalt Strike JA3 fingerprint. ja3.hash is a sticky buffer, so the content match
# applies to the MD5 JA3 hash of the ClientHello; it needs app-layer.protocols.tls.ja3-fingerprints
# set to auto or yes in suricata.yaml. Lines are continued with a trailing backslash.
alert tls any any -> any any ( \
  msg:"Cobalt Strike JA3 Fingerprint"; \
  ja3.hash; content:"51c64c77e60f3980eea90869b68c58a8"; \
  classtype:trojan-activity; \
  sid:9000001; rev:1; \
)
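What the JA3 rule above actually matches on is the MD5 of a string built from the ClientHello: SSLVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats (decimal values, "-" between list items, "," between fields, GREASE values removed). The following is an added example, not code from this lab or from Suricata, that derives the JA3 string and hash from a raw TLS record. The ClientHello it parses is constructed in the block (build_client_hello is a helper written for this example; the cipher, extension and group values are chosen to exercise GREASE filtering, not taken from any real client):

```python
"""Compute a JA3 fingerprint from a raw TLS ClientHello (added example, not part of the lab)."""
import hashlib
import struct

SUPPORTED_GROUPS = 10   # extension type that carries the EllipticCurves field of JA3
EC_POINT_FORMATS = 11   # extension type that carries the EllipticCurvePointFormats field


def is_grease(value: int) -> bool:
    """GREASE values (0x0a0a, 0x1a1a, ..., 0xfafa) are randomised by clients and excluded from JA3."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def ja3_hash(ja3_string: str) -> str:
    """The JA3 hash is the MD5 of the comma-separated JA3 string."""
    return hashlib.md5(ja3_string.encode()).hexdigest()


def ja3_from_client_hello(record: bytes) -> dict:
    """Parse one TLS record holding a ClientHello and return its JA3 string and hash."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]

    version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                      # skip client_random
    pos += 1 + body[pos]              # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]              # skip compression_methods

    extensions, curves, formats = [], [], []
    if pos + 2 <= len(body):          # the extensions block is optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            extensions.append(etype)
            if etype == SUPPORTED_GROUPS:     # 2-byte list length, then 2-byte group ids
                n = struct.unpack("!H", data[0:2])[0]
                curves = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + n, 2)]
            elif etype == EC_POINT_FORMATS:   # 1-byte list length, then 1-byte formats
                formats = list(data[1:1 + data[0]])

    def fmt(values):
        return "-".join(str(v) for v in values if not is_grease(v))

    ja3 = ",".join([str(version), fmt(ciphers), fmt(extensions), fmt(curves), fmt(formats)])
    return {"ja3": ja3, "ja3_hash": ja3_hash(ja3)}


def build_client_hello(version: int, ciphers: list, extensions: list) -> bytes:
    """Assemble a TLS record carrying a ClientHello. Constructed test input, not a real capture."""
    ext_blob = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (struct.pack("!H", version)
            + b"\x11" * 32                    # client_random, fixed for the example
            + b"\x00"                         # empty session_id
            + struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
            + b"\x01\x00"                     # one compression method: null
            + struct.pack("!H", len(ext_blob)) + ext_blob)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed ClientHello: GREASE cipher 0x1a1a, GREASE extension 0x3a3a and GREASE group 0x2a2a
# are all present and must be dropped from the fingerprint.
SAMPLE_HELLO = build_client_hello(
    0x0303,
    [0x1A1A, 0x1301, 0x1302, 0xC02B],
    [
        (0x3A3A, b""),
        (0x0000, b"\x00\x0c\x00\x00\x09localhost"),              # server_name
        (SUPPORTED_GROUPS, b"\x00\x06\x2a\x2a\x00\x1d\x00\x17"),  # GREASE, x25519, secp256r1
        (EC_POINT_FORMATS, b"\x01\x00"),                          # uncompressed
        (0x0010, b"\x00\x0c\x02h2\x08http/1.1"),                  # ALPN
    ],
)

if __name__ == "__main__":
    print(ja3_from_client_hello(SAMPLE_HELLO))
```

The hash identifies a TLS client stack and its configuration, not a piece of malware: any program linking the same library with the same settings produces the same JA3, so a hit on the rule above is a pivot point for the Zeek ssl.log and conn.log context, not a verdict on its own.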

# DNS tunneling heuristic: 50 or more queries per minute from one source whose name contains an
# alphanumeric label of 30+ characters. The regex is a length check that stands in for entropy;
# it will also match long but repetitive labels. DNS labels cannot exceed 63 characters.
alert dns any any -> any 53 ( \
  msg:"DNS Tunneling - Long label burst"; \
  dns.query; content:"."; pcre:"/[a-z0-9]{30,}/i"; \
  threshold:type threshold, track by_src, count 50, seconds 60; \
  classtype:bad-unknown; \
  sid:9000010; rev:1; \
)
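The DNS rule above uses label length as a proxy for entropy. The following added example (written for this page, not part of the lab or of Security Onion) computes real Shannon entropy per label over Zeek dns.log records in the JSON form Security Onion writes, and applies the same per-source threshold the rule uses (50 suspicious queries from one source within 60 seconds). The dns.log lines are constructed inside the block; the tunnel domain, the internal addresses and the label are invented for the example:

```python
"""Entropy-based DNS tunnelling heuristic over Zeek dns.log JSON lines (added example)."""
import json
import math
from collections import defaultdict, deque


def shannon_entropy(s: str) -> float:
    """Bits per character: encoded payload labels score high, dictionary-word labels score low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_label(query: str, min_len: int = 30, min_entropy: float = 3.5) -> bool:
    """True when some label is both long and high-entropy (the Suricata rule checks length only)."""
    labels = query.rstrip(".").split(".")
    return any(len(label) >= min_len and shannon_entropy(label) >= min_entropy for label in labels)


class DnsTunnelDetector:
    """Mirror of `threshold: track by_src, count N, seconds S`: fire on the N-th suspicious query
    from a source inside an S-second window, then start counting again."""

    def __init__(self, count: int = 50, seconds: int = 60):
        self.count, self.seconds = count, seconds
        self.windows = defaultdict(deque)    # source ip -> timestamps of suspicious queries

    def feed(self, line: str):
        rec = json.loads(line)
        query = rec.get("query", "")
        if not suspicious_label(query):
            return None
        ts, src = float(rec["ts"]), rec["id.orig_h"]
        window = self.windows[src]
        window.append(ts)
        while window and ts - window[0] > self.seconds:
            window.popleft()                 # drop queries that fell out of the window
        if len(window) >= self.count:
            window.clear()
            return {"src": src, "ts": ts, "query": query}
        return None


def detect(lines, count: int = 50, seconds: int = 60) -> list:
    """Run the detector over dns.log lines and return the alerts it raised."""
    detector = DnsTunnelDetector(count, seconds)
    alerts = []
    for line in lines:
        alert = detector.feed(line)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed label: 32 characters, 27 distinct, entropy 4.6875 bits/char.
HIGH_ENTROPY = "kq9v3x8m2z7w1h4n6b0p5c9t2y7r3f8j"


def constructed_dns_log(n_tunnel: int = 60, src: str = "10.0.0.7") -> list:
    """Constructed dns.log: one host sends 60 tunnel-like queries at one per second, another host
    sends a normal query and a long-but-repetitive label that the regex rule would have flagged."""
    lines = []
    for i in range(n_tunnel):
        label = HIGH_ENTROPY[i % 32:] + HIGH_ENTROPY[:i % 32]   # rotation keeps the entropy, changes the name
        lines.append(json.dumps({"ts": 1700000000.0 + i, "id.orig_h": src,
                                 "query": f"{label}.tun.example.net"}))
    lines.append(json.dumps({"ts": 1700000030.0, "id.orig_h": "10.0.0.8", "query": "www.example.com"}))
    lines.append(json.dumps({"ts": 1700000031.0, "id.orig_h": "10.0.0.8", "query": "a" * 40 + ".example.com"}))
    return lines


SAMPLE_LINES = constructed_dns_log()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LINES):
        print(alert)
```

The long repetitive label scores 0 bits and is ignored, which the length-only regex cannot do; the price is that CDN and cloud hostnames with long random-looking labels still score high, so the per-source rate threshold does the real work of separating a tunnel from a busy browser.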

Results

  • Full packet capture with metadata logging at 1Gbps line rate
  • JA3/JA3S fingerprinting flags likely encrypted C2 from the client and server TLS handshake parameters, without decrypting the payload
  • Zeek conn.log enables complete network connection timeline reconstruction
  • Identified 3 internal hosts communicating with known-bad domains during threat hunting
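The last two results are one workflow: pivot from a dns.log record for a known-bad domain to the conn.log entries of the host that resolved it, then read that host's connection history in order. The block below is an added example written for this page, not the lab's own tooling; it works on Zeek conn.log and dns.log in the JSON form Security Onion stores in Elasticsearch. The log lines, the watch-list domain and the addresses are constructed for the example (the 198.51.100.0/24 and 203.0.113.0/24 ranges are documentation networks, not real infrastructure):

```python
"""Zeek conn.log timeline reconstruction and dns.log pivot for known-bad domains (added example)."""
import ipaddress
import json
from datetime import datetime, timezone

# Constructed watch list; not a real indicator.
KNOWN_BAD_DOMAINS = {"update-cdn.example-bad.net"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def conn(ts, uid, src, dst, dport, proto, service, duration, obytes, rbytes, state):
    """Build one conn.log JSON line with the field names Zeek uses (constructed data)."""
    return json.dumps({"ts": ts, "uid": uid, "id.orig_h": src, "id.orig_p": 51000, "id.resp_h": dst,
                       "id.resp_p": dport, "proto": proto, "service": service, "duration": duration,
                       "orig_bytes": obytes, "resp_bytes": rbytes, "conn_state": state})


CONN_LOG = [
    conn(1699999900.0, "C6", "10.0.0.5", "198.51.100.20", 443, "tcp", "ssl", 30.0, 900, 1200, "SF"),  # no DNS seen
    conn(1700000000.0, "C1", "10.0.0.7", "10.0.0.53", 53, "udp", "dns", 0.01, 60, 120, "SF"),
    conn(1700000001.5, "C2", "10.0.0.7", "198.51.100.20", 443, "tcp", "ssl", 120.0, 4200, 9800, "SF"),
    conn(1700000002.0, "C4", "10.0.0.9", "203.0.113.10", 443, "tcp", "ssl", 2.0, 800, 15000, "SF"),
    conn(1700000100.0, "C3", "10.0.0.9", "10.0.0.7", 445, "tcp", "smb", 5.0, 3000, 2000, "SF"),
    conn(1700000501.0, "C5", "10.0.0.12", "198.51.100.20", 443, "tcp", "ssl", 90.0, 3900, 9100, "SF"),
]
DNS_LOG = [json.dumps(r) for r in [
    {"ts": 1700000000.0, "id.orig_h": "10.0.0.7", "query": "update-cdn.example-bad.net",
     "answers": ["edge.example-bad.net", "198.51.100.20"]},            # CNAME then A record
    {"ts": 1700000001.0, "id.orig_h": "10.0.0.9", "query": "www.example.com", "answers": ["203.0.113.10"]},
    {"ts": 1700000500.0, "id.orig_h": "10.0.0.12", "query": "update-cdn.example-bad.net",
     "answers": ["198.51.100.20"]},
]]


def parse(lines):
    return [json.loads(line) for line in lines]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def host_timeline(conn_lines, host: str) -> list:
    """Every connection the host took part in, in time order, with direction relative to the host."""
    rows = []
    for c in parse(conn_lines):
        if host not in (c["id.orig_h"], c["id.resp_h"]):
            continue
        outbound = c["id.orig_h"] == host
        rows.append({
            "ts": c["ts"],
            "time": datetime.fromtimestamp(c["ts"], tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ"),
            "dir": "->" if outbound else "<-",
            "peer": c["id.resp_h"] if outbound else c["id.orig_h"],
            "port": c["id.resp_p"],
            "service": c.get("service") or c["proto"],
            "duration": c.get("duration", 0.0),
            "bytes": c.get("orig_bytes", 0) + c.get("resp_bytes", 0),
            "state": c["conn_state"],
            "uid": c["uid"],
        })
    return sorted(rows, key=lambda r: r["ts"])


def hosts_contacting_known_bad(conn_lines, dns_lines, bad_domains) -> list:
    """Internal hosts that resolved a watch-listed domain and then connected to an address it returned."""
    resolved = {}                                   # (source ip, answer ip) -> (dns ts, domain)
    for d in parse(dns_lines):
        if d.get("query") not in bad_domains:
            continue
        for answer in d.get("answers", []):
            try:
                ipaddress.ip_address(answer)        # keep A/AAAA answers, skip CNAME targets
            except ValueError:
                continue
            resolved[(d["id.orig_h"], answer)] = (d["ts"], d["query"])
    hits = []
    for c in parse(conn_lines):
        key = (c["id.orig_h"], c["id.resp_h"])
        if key in resolved and is_internal(c["id.orig_h"]) and c["ts"] >= resolved[key][0]:
            hits.append({"host": c["id.orig_h"], "domain": resolved[key][1], "dst": c["id.resp_h"],
                         "ts": c["ts"], "uid": c["uid"]})
    return sorted(hits, key=lambda h: h["ts"])


if __name__ == "__main__":
    for hit in hosts_contacting_known_bad(CONN_LOG, DNS_LOG, KNOWN_BAD_DOMAINS):
        print(hit)
    for row in host_timeline(CONN_LOG, "10.0.0.7"):
        print(row["time"], row["dir"], row["peer"], row["port"], row["service"], row["bytes"], row["state"])
```

The join deliberately requires the DNS resolution and the connection to come from the same source, so a host that reaches the C2 address directly (10.0.0.5 in the constructed data) is not reported by this pivot; that case is caught by matching conn.log id.resp_h against the resolved addresses instead, and in practice the two queries are run together.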
[Screenshot: dashboard / architecture diagram for Security Onion Lab: Network Security Monitoring with Suricata and Zeek]